The DDoS Smash-And-Grab: Be Prepared

You are more likely to fall victim to a DDoS attack as each day passes. Assume you will be a hacker's target, and get ready with a remediation plan.

Enterprises and governments connected to the Internet today must treat distributed denial-of-service (DDoS) attacks as an everyday occurrence. DDoS technology is not new, but unlike the old days of "low and slow," the current toolsets widely available to attackers allow even inexperienced users to execute sophisticated attacks with ease.

As hacker tools become easier to obtain on an active underground market, we will likely see the number of smash-and-grab attacks increase. Enterprises must do more to protect themselves, and be on alert for DDoS attacks used in combination with denial-of-service (DoS) attacks.

Attackers use DDoS as a smoke screen. This method allows them to tie up available resources, personnel, equipment, or bandwidth, in order to perpetrate a greater crime against an organization. These events cost organizations large sums of money in the form of service level agreements, service interruptions, and credit protection for clients affected by an attack against the enterprise.

The Internet loses massive amounts of bandwidth to these events daily. The financial industry estimates the cost of a DDoS attack at $100,000, and that cost accrues per hour even before a mitigation effort begins. The additional cost of remediation and forensics for a DoS or DDoS attack could almost double the initial figure by the time the process is completed.

As the current threatscape continues to evolve, we will witness more and more complex blended attacks. Some popular approaches use peer-to-peer (P2P) networks as ways to mount attacks. There are increasing numbers of attacks against social media sites using backend technologies such as WordPress and Joomla to target government agencies and other organizations, especially those in the oil and gas, manufacturing, healthcare and higher education sectors. These industries are often pursued for their intellectual property or research information.

The Prolexic Quarterly Global DDoS Attack Report Q3 reported that application attack vectors increased by almost 6%, from 17% to 23%, between the third quarter of 2012 and the third quarter of 2013. Infrastructure attacks, which totaled 77% in Q3 2013, continued to represent the majority of attacks observed and mitigated.

Worth noting was the increase of reflection-based DDoS attacks using the old but re-emerging character generator (CHARGEN) protocol, which has been seen in several recent campaigns as a primary attack vector. A significant shift to reflection-based attack vectors was observed across the board, rising 69% compared to the previous quarter and 265% when compared to the same quarter a year ago.
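Reflection attacks of the kind the report describes have a recognisable signature on the victim's side: UDP traffic arriving from many different hosts whose *source* port is a reflector service (CHARGEN listens on port 19 and answers any datagram with a stream of characters, which is what makes it useful for amplification), with a high byte count per packet. The following detector, added here as an illustration and not taken from the article or from Prolexic, scans flow records for exactly that pattern. The CSV record layout, the `REFLECTOR_PORTS` table (which generalises from CHARGEN to DNS and NTP, two other well-known UDP reflectors), the thresholds and the sample flows are all constructed for the example.

```python
"""Flag hosts that look like targets of UDP reflection/amplification traffic.

Added example: the flow format, thresholds and sample data are constructed
and do not come from any real exporter or from the report quoted above.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# UDP services commonly abused as reflectors, keyed by the source port of the
# reflected response. CHARGEN (19) is the one the report singles out; DNS and
# NTP are included as a generalisation.
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP"}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV flow record:
    src_ip,src_port,dst_ip,dst_port,proto,packets,bytes"""
    fields = line.strip().split(",")
    if len(fields) != 7:
        raise ValueError(f"malformed flow record: {line!r}")
    return Flow(fields[0], int(fields[1]), fields[2], int(fields[3]),
                fields[4].upper(), int(fields[5]), int(fields[6]))


@dataclass
class _VictimStats:
    reflectors: set = field(default_factory=set)  # distinct reflecting hosts
    services: set = field(default_factory=set)    # reflector services seen
    packets: int = 0
    bytes: int = 0


def find_reflection_victims(lines, min_reflectors=3, min_avg_bytes=400):
    """Return {dst_ip: summary} for destinations receiving UDP traffic from
    at least `min_reflectors` distinct reflector-service hosts with an
    average packet size of at least `min_avg_bytes` bytes."""
    per_dst = defaultdict(_VictimStats)
    for line in lines:
        try:
            fl = parse_flow(line)
        except ValueError:
            continue  # skip malformed records rather than abort the scan
        if fl.proto != "UDP" or fl.src_port not in REFLECTOR_PORTS:
            continue
        stats = per_dst[fl.dst_ip]
        stats.reflectors.add(fl.src_ip)
        stats.services.add(REFLECTOR_PORTS[fl.src_port])
        stats.packets += fl.packets
        stats.bytes += fl.bytes

    findings = {}
    for dst_ip, stats in per_dst.items():
        avg = stats.bytes / stats.packets if stats.packets else 0.0
        if len(stats.reflectors) >= min_reflectors and avg >= min_avg_bytes:
            findings[dst_ip] = {
                "reflectors": len(stats.reflectors),
                "services": sorted(stats.services),
                "avg_bytes_per_packet": round(avg, 1),
            }
    return findings


# Constructed sample flows (documentation address ranges). Four hosts answer
# on UDP/19 towards 203.0.113.10 with large packets; one ordinary DNS reply
# and one TCP flow are included as benign noise, plus a malformed line.
SAMPLE_FLOWS = [
    "198.51.100.1,19,203.0.113.10,4444,udp,1000,1000000",
    "198.51.100.2,19,203.0.113.10,4444,udp,1000,1000000",
    "198.51.100.3,19,203.0.113.10,4444,udp,1000,1000000",
    "198.51.100.4,19,203.0.113.10,4444,udp,1000,1000000",
    "198.51.100.53,53,203.0.113.20,40000,udp,1,120",
    "198.51.100.80,80,203.0.113.20,50000,tcp,12,9000",
    "this,is,not,a,flow",
]

if __name__ == "__main__":
    for victim, summary in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, summary)
```

The source-port check matters more than the destination port: a legitimate host almost never receives CHARGEN responses from several different servers at once, so the combination of many reflector sources and large average packets is a strong signal without needing packet payloads. On a real network the thresholds would be tuned against a baseline and the records fed from the flow exporter already in place.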

Increased DDoS attacks show the ongoing changes to the threatscape, and how easily businesses can be compromised. Enterprises must be more vigilant in their security programs and continue to evolve to combat this threat. Most importantly, they should have remediation plans in place.

Craig Treubig is managing principal consultant at Accuvant, with more than 17 years of information security and infrastructure security experience in consulting and enterprise environments.

"If your business wasn't a high risk candidate for DDoS last week--nothing has changed."

Well, there is some truth to that :-) Perhaps what's changing is the frequency and scale of the attacks? I can't speak to that personally, but if that's the trend then DDoS detection and mitigation may be even more important now than before as the exposure may be rising.

Not to cast aspersions on Prolexic's data, but the company's primary business is DDoS protection & mitigation services. In your practice do you see more of these attacks on companies that would not be considered high-value targets, or is there data from NIST or the FBI to that effect?

Yes, having a DDoS mitigation plan is a great idea, and attackers are moving up the stack. We did a full report on it. However, IT teams with limited resources need to prioritize.

Can you explain the reference to attackers "using backend technologies such as WordPress and Joomla to target government agencies and other organizations" - how does a CMS qualify as a tool for targeting other sites? Is this a reference to hacking servers running those products (maybe unpatched older versions) and then using those servers as a jumping off point for an attack on other sites? Or do WordPress and Joomla actually contain tools that can be misused for mounting attacks?